Skip to content

Discerning Data

  • About Us
  • Additional Resources
  • Contact Us

DISCERNING DATA

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy
  • Privacy
  • Cybersecurity
  • Data Strategy
  • Disruptionware

Oregon Amends Data Breach Notification Law to Apply to Vendors

Share

On May 24, 2019, Oregon Governor Kate Brown signed into law Senate Bill 684, which requires vendors, service providers and other entities that maintain or possess consumers’ personal information to notify consumers of a security breach.

Effective January 1, 2020, the Oregon Consumer Identity Theft Protection Act, which the amendment renames as the Oregon Consumer Information Protection Act (the “Act”), requires vendors that discover a breach of security or have reason to believe that a breach of security has occurred to (1) notify any contracted covered entities as soon as practicable but no later than 10 days after discovering (or having reason to believe that) a breach has occurred and (2) notify the Attorney General if a breach or suspected breach involved the personal information of more than 250 consumers or a number of consumers that the vendor could not determine.

As amended, the Act defines a “covered entity” to mean an individual or entity that “owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information in the course of the person’s business, vocation, occupation or volunteer activities.” In addition, “vendor” is defined as an individual or entity “with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information for the purpose of, or in connection with, providing services to or on behalf of the covered entity.”

The amendment also updates the Act’s definition of “personal information” to include user names or other means of identifying a consumer for the purpose of permitting access to the consumer’s account, together with any other method necessary to authenticate the user name or means of identification. It also clarifies that compliance with security measures under federal data security laws, such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA), provides covered entities and vendors alleged to have violated the Act with an affirmative defense even as to information protected under the Act but not under federal laws.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.

Receive Email Alerts to New Articles

SUBSCRIBE

June 6, 2019
Written by: Discerning Data Editorial Board
Category: Cybersecurity
Tags: data breach, data privacy, data security

Post navigation

Previous Previous post: U.S. Securities and Exchange Commission Issues Risk Alert Regarding Safeguarding Customer Records and Information Stored on Cloud-Based Platforms
Next Next post: Nevada’s Privacy Law Granting Opt-Out Rights Is First Out of the Gate

Search the Blog

Sign Up for Email Alerts

PODCASTS

Faegre Drinker on Law and Technology

©2023 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.

  • About Us
  • Additional Resources
  • Contact Us
We use cookies to improve your experience with our website. By browsing our site, you are agreeing to the use of cookies. For more information about how we use cookies, please review our privacy policy and cookie policy. OK
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT